CVE-2022-45636

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to unlock MEGAFEIS and BOFEI DBD+ smart locks without authorization by sending arbitrary API requests to the mobile application. It affects users of the MEGAFEIS/BOFEI DBD+ mobile apps for iOS and Android. The flaw stems from an insecure authorization scheme in the API implementation.

💻 Affected Systems

Products:
  • MEGAFEIS DBD+ Mobile Application
  • BOFEI DBD+ Mobile Application
Versions: v1.4.4 and likely earlier versions
Operating Systems: iOS, Android
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the mobile application's API communication layer. Both iOS and Android versions are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could unlock any vulnerable smart lock remotely, potentially enabling physical theft, unauthorized access to secured areas, or safety hazards.

🟠 Likely Case

Attackers with network access to the mobile app's API endpoints could unlock specific smart locks without proper authentication.

🟢 If Mitigated

With proper API authorization controls, only authenticated users with appropriate permissions could unlock devices.

🌐 Internet-Facing: HIGH - The mobile app communicates with cloud APIs that are internet-accessible, making remote exploitation possible.
🏢 Internal Only: LOW - The primary attack vector is through internet-facing APIs, though local network attacks might be possible if the app uses local communication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The WithSecure Labs disclosure includes technical details that could be used to create exploit tools. The attack requires understanding of the API structure but doesn't need advanced technical skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found in provided references

Restart Required: No

Instructions:

1. Check for app updates in the Apple App Store or Google Play Store.
2. Update to the latest version if available.
3. Contact MEGAFEIS/BOFEI support for patch information.

🔧 Temporary Workarounds

Disable Remote Access

Applies to: all

Temporarily disable the mobile app's ability to unlock devices remotely.

Network Segmentation

Applies to: all

Restrict network access to the mobile app's API endpoints.

🧯 If You Can't Patch

  • Discontinue use of the vulnerable mobile application for unlocking devices
  • Implement physical security controls as backup for affected smart locks

🔍 How to Verify

Check if Vulnerable:

Check if you're using MEGAFEIS/BOFEI DBD+ mobile app version 1.4.4 or earlier. Review app permissions and API communication patterns.

Check Version:

Check app version in mobile device settings: iOS Settings > General > iPhone Storage > [App Name]; Android Settings > Apps > [App Name] > App Info

Verify Fix Applied:

Verify app version is updated beyond v1.4.4. Test unlocking functionality with proper authentication requirements.

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests to lock/unlock endpoints
  • Failed authentication attempts followed by successful unlocks
  • API requests without proper authorization headers

Network Indicators:

  • Unencrypted or weakly authenticated API calls to smart lock services
  • Traffic to known vulnerable API endpoints

SIEM Query:

source="mobile_app_logs" AND (event="unlock" OR event="lock") AND auth_status="failed" AND result="success"
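The three log indicators above, implemented as detection logic over constructed sample events (added example, not part of the original advisory; the key=value log format, the `auth_header` field and the 60-second correlation window are assumptions, not MEGAFEIS/BOFEI specifics):

```python
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed key=value format; they are not
# real MEGAFEIS/BOFEI application logs, only an illustration of the indicators.
SAMPLE_LOGS = """\
2023-01-10T08:00:01Z user=alice device=lock-17 event=login auth_status=ok
2023-01-10T08:00:05Z user=alice device=lock-17 event=unlock auth_status=ok auth_header=present result=success
2023-01-10T09:12:00Z user=mallory device=lock-42 event=login auth_status=failed
2023-01-10T09:12:04Z user=mallory device=lock-42 event=unlock auth_status=ok auth_header=present result=success
2023-01-10T10:30:00Z user=- device=lock-08 event=unlock auth_status=failed auth_header=missing result=success
"""

WINDOW = timedelta(seconds=60)  # assumed window for "failed auth followed by unlock"


def parse(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text):
    """Return (rule, device) findings for the three log indicators."""
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    last_failed_auth = {}  # device -> timestamp of the most recent failed auth
    for r in records:
        dev = r.get("device")
        if r.get("auth_status") == "failed":
            last_failed_auth[dev] = r["ts"]
        if r.get("event") not in ("lock", "unlock") or r.get("result") != "success":
            continue
        # Rule 1: the SIEM query above as code: state change despite failed auth.
        if r.get("auth_status") == "failed":
            findings.append(("unlock_with_failed_auth", dev))
        # Rule 2: state change on a request carrying no authorization header.
        if r.get("auth_header") == "missing":
            findings.append(("unlock_without_auth_header", dev))
        # Rule 3: a failed auth on the same device shortly before a successful unlock.
        prev = last_failed_auth.get(dev)
        if prev is not None and prev < r["ts"] <= prev + WINDOW:
            findings.append(("failed_auth_then_unlock", dev))
    return findings
```

Running `detect(SAMPLE_LOGS)` flags lock-42 for a failed login followed by an unlock, and lock-08 twice for an unlock that succeeded with failed auth and no authorization header.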
